General

  • Target

    1bba40cd593bed2b1f35529f02a1bc01.exe

  • Size

    4.2MB

  • Sample

    241219-h55cxavjfy

  • MD5

    1bba40cd593bed2b1f35529f02a1bc01

  • SHA1

    a0d27bf89c1d0ef1da317b101d134dd83a326fd9

  • SHA256

    0c9d197700bb3c5a707382a110a0466daa05c6d44793a60248c69c1784b02237

  • SHA512

    f75b3e7ea9751b2e3f02d90de33f46cee91a2c464d2e32072dc3ca5aef85cd3e46be44e87ac1201b3b9fe08ba015522d9094869347afe2809b30a3bc0c57182d

  • SSDEEP

    98304:gJf2TI4C0z0dAvtBgn2TRd5LWA9XZTO+NpL6714GxCZ9Zi9Qv/71C:4eTNC20S7gnKhWA9XZa4Gxq9Zi9Q5C

Malware Config

Extracted

Family

cryptbot

Targets

    • CryptBot

      CryptBot is a C++ stealer that is distributed widely in bundles with other software.

    • Cryptbot family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks